Drupal Suggested Terms Module Multiple HTML Injection Vulnerabilities
BID:29953
Info
Drupal Suggested Terms Module Multiple HTML Injection Vulnerabilities
| Bugtraq ID: | 29953 |
| Class: | Input Validation Error |
| CVE: |
CVE-2008-3500 |
| Remote: | Yes |
| Local: | No |
| Published: | Jun 25 2008 12:00AM |
| Updated: | May 07 2015 05:28PM |
| Credit: | Erich C. Beyrent |
| Vulnerable: |
Drupal Suggested Terms 5.x-1.1 |
| Not Vulnerable: |
Drupal Suggested Terms 5.x-1.2 |
Discussion
Drupal Suggested Terms Module Multiple HTML Injection Vulnerabilities
The Suggested Terms module for Drupal is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input data.
Exploiting these issues may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.
These issues affect versions prior to Suggested Terms 5.x-1.2.
The Suggested Terms module for Drupal is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input data.
Exploiting these issues may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.
These issues affect versions prior to Suggested Terms 5.x-1.2.
Exploit / POC
Drupal Suggested Terms Module Multiple HTML Injection Vulnerabilities
Attackers can exploit these issues using a browser.
Attackers can exploit these issues using a browser.
Solution / Fix
Drupal Suggested Terms Module Multiple HTML Injection Vulnerabilities
Solution:
The vendor has released fixes. Please see the references for more information.
Solution:
The vendor has released fixes. Please see the references for more information.
References
Drupal Suggested Terms Module Multiple HTML Injection Vulnerabilities
References:
References:
- Suggested Terms Homepage (Drupal)
- Vendor Homepage (Drupal)
- SA-2008-039 - Suggested terms - Cross site scripting (Drupal)